Merge pull request #1235 from joshuagl/joshuagl/expiration-check

client: update expiration check to match spec
2026-05-24 10:08:28 +00:00 · 2020-12-11 15:04:11 +01:00 · 2020-12-11 15:04:11 +01:00 · b2e3c83988
commit b2e3c83988
parent cdf069a8a9 fccd078634
2 changed files with 28 additions and 6 deletions
--- a/tests/test_updater.py
+++ b/tests/test_updater.py
@ -60,6 +60,11 @@
 import unittest
 import json

+if sys.version_info >= (3, 3):
+  import unittest.mock as mock
+else:
+  import mock
+
 import tuf
 import tuf.exceptions
 import tuf.log
@ -670,14 +675,31 @@ def test_2__ensure_not_expired(self):
    root_metadata = self.repository_updater.metadata['current']['root']
    self.repository_updater._ensure_not_expired(root_metadata, 'root')

-    # 'tuf.exceptions.ExpiredMetadataError' should be raised in this next test condition,
-    # because the expiration_date has expired by 10 seconds.
+    # Metadata with an expiration time in the future should, of course, not
+    # count as expired
+    expires = tuf.formats.unix_timestamp_to_datetime(int(time.time() + 10))
+    expires = expires.isoformat() + 'Z'
+    root_metadata['expires'] = expires
+    self.assertTrue(tuf.formats.ROOT_SCHEMA.matches(root_metadata))
+    self.repository_updater._ensure_not_expired(root_metadata, 'root')
+
+    # Metadata that expires at the exact current time is considered expired
+    expire_time = int(time.time())
+    expires = \
+      tuf.formats.unix_timestamp_to_datetime(expire_time).isoformat()+'Z'
+    root_metadata['expires'] = expires
+    mock_time = mock.Mock()
+    mock_time.return_value = expire_time
+    self.assertTrue(tuf.formats.ROOT_SCHEMA.matches(root_metadata))
+    with mock.patch('time.time', mock_time):
+      self.assertRaises(tuf.exceptions.ExpiredMetadataError,
+                        self.repository_updater._ensure_not_expired,
+                        root_metadata, 'root')
+
+    # Metadata that expires in the past is considered expired
    expires = tuf.formats.unix_timestamp_to_datetime(int(time.time() - 10))
    expires = expires.isoformat() + 'Z'
    root_metadata['expires'] = expires
-
-    # Ensure the 'expires' value of the root file is valid by checking the
-    # the formats of the 'root.json' object.
    self.assertTrue(tuf.formats.ROOT_SCHEMA.matches(root_metadata))
    self.assertRaises(tuf.exceptions.ExpiredMetadataError,
                      self.repository_updater._ensure_not_expired,
--- a/tuf/client/updater.py
+++ b/tuf/client/updater.py
@ -2266,7 +2266,7 @@ def _ensure_not_expired(self, metadata_object, metadata_rolename):
    expires_timestamp = tuf.formats.datetime_to_unix_timestamp(expires_datetime)

    current_time = int(time.time())
-    if expires_timestamp < current_time:
+    if expires_timestamp <= current_time:
      message = 'Metadata '+repr(metadata_rolename)+' expired on ' + \
        expires_datetime.ctime() + ' (UTC).'
      raise tuf.exceptions.ExpiredMetadataError(message)